How to drop or block Skype connections with your gateway firewall

Today, network admins face a very hard job trying to protect their internal LAN: if, 15 years ago, the Internet was basically a simple, yet large, client-server network, today we have a much varied environment.

One of the more difficult things to drop or block are P2P protocols: for their very nature, these protocols imply HTTP/S-tunneled client-to-client communications, and so they are quite hard to properly discover at the gateway level. Skype is one of these application: if it can not use its default ports, it tunnel itself into an HTTPS stream.

For this reason advanced, UTM-aware firewalls often block Skype and other P2P protocols inspecting packets as deeply as at the layer7 level, looking at specific application's signatures. However, application's signatures often changes with newer software versions, so you had to wait for an updated firmware/signature pack from your vendor. Also, HTTPS-tunneled protocols can be very hard to detect/block, as it is an encrypted protocol. Moreover, many in-production firewalls are not UTM-enabled devices, or they simply don't have the required application signatures.

So, how can we drop Skype independently of UTM awareness? Let's first learn a bit about how Skype works.